1. User Linking Issues Between SP & IdP-Initiated Logins
No, this behavior is not expected—you should not need to drop and re-link users every time they switch login methods.
Troubleshooting Steps:
Are these configured as two separate Identity Providers in FusionAuth? If so, ensure they are both linked to the same FusionAuth user. If they are separate, FusionAuth may be treating them as different authentication sources, causing conflicts.
Is Azure using the same application for both login flows? If different applications are used in Azure, they may be sending different user identifiers to FusionAuth.
Enable Debug Logging in FusionAuth: go to System > Event Log and enable Debug Mode in the Identity Provider settings. Compare the SAML attributes (claims) being sent in SP vs. IdP-initiated logins. If they differ, you may need to adjust Azure's claim mappings to ensure consistency.
2. Ensuring Correct Redirect URL in IdP-Initiated Flow
Yes, RelayState works in FusionAuth, but there are specific requirements:
Check Your FusionAuth Version: RelayState support was added in FusionAuth 1.41.0+. If you are on an older version, FusionAuth will default to the first redirect URL in the list.
Correct RelayState Configuration
Ensure the target redirect URL is listed as an "Authorized Redirect URL" in the FusionAuth application settings.
URL-encode the redirect URL before appending it to RelayState. Example: https://example.com/welcome → https%3A%2F%2Fexample.com%2Fwelcome
Append the encoded URL to the ACS URL in Azure. Example ACS URL with RelayState: https://your-fusionauth-instance/samlv2/acs?RelayState=https%3A%2F%2Fexample.com%2Fwelcome
Test by logging in via IdP-initiated flow and checking if FusionAuth respects the RelayState.
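The two steps above in code, as an added illustration that is not part of the original answer and not FusionAuth's own implementation: one function builds the ACS URL with a percent-encoded RelayState, and a second shows the check a service provider should apply on the way back, accepting the RelayState target only if it exactly matches an "Authorized Redirect URL" allowlist so the parameter cannot be used as an open redirect. The host name and the allowlist entries are constructed placeholders.

```python
from __future__ import annotations
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed stand-in for the application's "Authorized Redirect URLs" list.
AUTHORIZED_REDIRECT_URLS = {
    "https://example.com/welcome",
    "https://example.com/dashboard",
}

# Hypothetical FusionAuth host; replace with your own instance.
ACS_BASE = "https://your-fusionauth-instance/samlv2/acs"


def build_idp_initiated_acs_url(acs_base: str, target: str) -> str:
    """Build the ACS URL to configure in Azure, carrying the target in RelayState.

    urlencode() percent-encodes ':' and '/' as %3A and %2F, matching the
    encoded example in the answer above.
    """
    return f"{acs_base}?{urlencode({'RelayState': target})}"


def resolve_relay_state(acs_url: str, allowlist: set[str]) -> str | None:
    """Return the RelayState target only if it is on the allowlist, else None.

    Exact matching, not prefix or substring matching, is what stops
    RelayState from becoming an open redirect: a look-alike host such as
    example.com.evil.test must not pass, and neither must a path that
    merely starts with an allowed one.
    """
    values = parse_qs(urlsplit(acs_url).query).get("RelayState", [])
    if len(values) != 1:          # missing or duplicated parameter: refuse
        return None
    parts = urlsplit(values[0])
    if parts.scheme.lower() != "https" or not parts.netloc:
        return None
    # Scheme and host are case-insensitive; normalise them before comparing.
    target = parts._replace(scheme="https", netloc=parts.netloc.lower()).geturl()
    return target if target in allowlist else None
```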
Additional References:
SAML Redirects in FusionAuth
IdP-Initiated SAML Login
Summary:
User linking issues are likely caused by different SAML claims or separate Identity Provider configurations in FusionAuth. Enable debugging to check for mismatched attributes.
RelayState should work in IdP-initiated logins if you are on FusionAuth 1.41.0+, URL-encode the redirect URL, and ensure it is allowed in the application's settings.